
List:       freeradius-users
Subject:    Re: Using Groups to Limit Authentication to Network Devices
From:       Doug Warner <doug () warner ! fm>
Date:       2010-03-27 11:56:09
Message-ID: 4BADF259.8030109 () warner ! fm

On 03/27/2010 01:46 AM, Peter Lambrechtsen wrote:
> On Sat, Mar 27, 2010 at 3:00 AM, Doug Warner <doug@warner.fm> wrote:
> 
>     I'm trying to set up freeradius to authenticate users via LDAP but pull
>     group information via MySQL.  I currently only need radius for
>     authentication to network devices (switches, PDUs, etc) but want to make
>     sure I set it up so that I don't shoot myself in the foot later.
> 
>     In trying to get the correct attributes assigned to a group I've noticed
>     that I need to set Fall-Through on each group that a user belongs to in
>     order to have later groups evaluated.  Is there a better way that I can
>     say something like, "this client should check for access from these
>     groups" so that I only need to set Fall-Through on certain groups instead
>     of all?
> 
> 
> Why not just use LDAP altogether for your group-based auth?  This is
> how I do it and it works well, and doesn't need any schema extensions.
> 
> http://lists.freeradius.org/mailman/htdig/freeradius-users/2009-November/msg00001.html
> 
> Then all you have to do is modify the hostgroups & postauth_users file
> when you add new NAS's.

I don't have control over the LDAP server at all so I can't change what groups
people are in.

I think I've managed to get things working by setting up a huntgroup with the
SQL-Group set to check that the user is in a specific group.  I then have the
users file set up to assign the appropriate attributes to the huntgroup.

-Doug



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
